ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


Yes 
No 


X Unsure/don’t know 


If no or unsure/don't know, what other issues would you like to be 
covered in it? 


It is not clear who the user of the guidance is intended to be. 


We also consider it would be sensible to point out the significant changes to SARs that were
made by the GDPR somewhere near the beginning.


Q2 Does the draft guidance contain the right level of detail? 


Yes
X No


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 

The document is a mixture of basic guidance; detailed guidance for public sector bodies; and
some guidance on esoteric issues for big data companies (presumably ad-tech).


We wonder if it would be possible to draft a basic guide for organisations and then drill into each
area in more detail for larger organisations which have sophisticated information management
systems. Although the guidance contains an ‘in brief’ section, it could also be helpful to
incorporate links to the more detailed parts of the ACOP.


We also consider that it would be helpful to refer to the BMA Guidance in the Accessing Health
Data section.


Q3 Does the draft guidance contain enough examples? 


Yes 
No 


Unsure/don’t know 


X 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


The ICO could consider providing a template SAR response letter which would helpfully set out
headings detailing the information required in addition to the provision of a copy of the
information. This would complement the template letter made available to data subjects.


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score? 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Information management systems 

We find the reference to ‘information management systems’ along with an expectation that
organisations should have one unhelpful. Many smaller organisations will understandably not
have a system that they recognise as an ‘information management system’ and it may be better
to point out that having some way to organise and categorise your data may assist and be
beneficial to the organisation rather than chastising organisations for not having a system when
it is not a legal requirement and when it is a difficult term to define.


Data ownership 

We query whether it is helpful to say “who it belongs to” on page 4. Ownership of data is a concept that is not
usually helpful. Would it be better to refer to information that you hold as a data controller?


It should be made clearer that the obligation only applies to controllers and not data processors.


Emails and personal data 


There is often a misunderstanding about emails being personal data just because someone has been copied
into one. This has caused issues and it might be worth clarifying this point in the section on page 26.


Legal professional privilege 


Page 48: there is reference to the legal professional privilege (LPP) exemption but additional guidance is
needed to explain that the exemption goes beyond information to which LPP applies and also relates to
information where there is a duty of confidentiality between the lawyer and the client.


Educational records and time limits 


Page 68: it appears that the time limit for a school responding to a request for a copy of an educational record
is paused during school holidays. However, it appears that the time limit for responding to a SAR is not
paused. It is therefore unclear whether there would be an expectation that the educational record would be
provided in response to an SAR anyway or whether, where an SAR is made at the start of the summer
holidays, the educational record would not require to be disclosed until 15 days after school starts again, but
the other data would require to be disclosed during the holidays.


Miscellaneous amendments 


We believe there is a typo at the bottom of page 18: it should say ‘reasonable’ rather than ‘excessive’. 


Page 28: it would be worth adding in the word ‘criminal’ before the word offence to emphasise that this should 
NOT be done. 


We would expect the section on ‘How should we supply the information ...’ to include reference to transferring
the data securely whether provided electronically or in paper form.


Page 37: where it states “Not all of the exemptions apply in the same way ...” we consider that should only
apply to ‘the relevant data’ rather than ‘the SAR’.


Q9 Are you answering as: 


An individual acting in a private capacity (eg someone providing their views as a member of the public)
An individual acting in a professional capacity
X On behalf of an organisation
Other


Please specify the name of your organisation: 


The Law Society of Scotland 


What sector are you from: 


Q10 How did you find out about this survey? 




ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 


Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


